docker login self hosted registry = x509: certificate signed by unknown authority

I am new to docker and trying to set up my registry for docker swarm.

I have three Debian installations interacting with each other:

  • registry
  • website
  • database

Trying to set up my database separate from my website and my registry separate too.

My registry machine also hosts a website, let's say vmreg.com, managed by letsencrypt ssl certificates. I use this certificate to sign both my website and registry.

docker run -d --restart=always --name registry \
  -v $(pwd) /etc/letsencrypt/live/vmreg.com:/etc/letsencrypt/live/vmreg.com \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/letsencrypt/live/vmreg.com/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/etc/letsencrypt/live/vmreg.com/domain.key \
  -p 5000:5000 registry:2

On my database machine I can log in just fine:

echo "password" | docker login -u username --password-stdin vmreg.com:5000

But on my website machine I get x509: certificate signed by unknown authority when I try to log in.

The only difference is that my website machine also has its own letsencrypt domain setup. I don't understand why I get this error. Is it a possible conflict?

Solutions I found online all talk about copying certificates, but 1) I have not copied any cert on my database machine and 2) I don't understand why I would need to copy certificates from the registry server to a client; that makes no sense to me, because what happens when I renew my certs?

but on my website machine I get x509: certificate signed by unknown authority when I try to login

I always had to follow "Verify repository client with certificates" when establishing a new Docker registry (usually one based on Nexus3 for instance).

That means:

/etc/docker/certs.d$ mkdir vmreg.com:5000
/etc/docker/certs.d$ cp /etc/letsencrypt/live/vmreg.com/domain.crt vmreg.com:5000/

It looks like you're missing the latest certificate bundle, and LetsEncrypt had to update their root CA after their original provider's certificate expired. This is normally handled on Debian by running:

apt-get update
apt-get install ca-certificates

However, if that doesn't solve it, it may be because of older versions of Debian. See this SF post that describes how to solve it.
